A sophisticated and very patient threat group behind a global malvertising scheme is using so-called aged domains to skirt past cybersecurity tools and catch victims in investment scams.
The attackers behind the CashRewindo campaign in many ways operate in the same way as other malvertising crooks. They inject malicious code into digital advertisements on legitimate ad networks, using the infected ads to steer website visitors to pages that may install malware or run scams.
Cybercriminals who run malvertising campaigns typically will spin up a domain and quickly put it into use.
However, CashRewindo has domains that have been registered for years and are left dormant, not activating them – updating certificates and assigning a virtual server – until right before launching the malvertising campaign, according to researchers at Confiant, whose tools protect companies’ online reputation.
Confiant has been tracking CashRewindo – which was first detected in 2018 – for two years, Daniel Fonseca Yarochewsky, security software engineer at the vendor, wrote in a report this week
Aged domains are not new or illegal. A quick Google search shows where people can buy abandoned domains, which still have plenty of backlinks pointing to them, before they expire. Smaller businesses buy them to more quickly launch a website and capture traffic already associated with the domain.
CashRewindo is patient, aging the domains before putting them to use. In all, Confiant linked 486 domains to the group, with some having been registered as long as ago as 2006 but not activated until this year. Others were activated weeks after being registered.
“We speculate that either they buy these from reputation-building markets, or wait around for them to age, likely the former,” Yarochewsky wrote. “Being outsourced or not, this technique is able to bypass security systems that classify registration timing as reputable.”
The technique works because such domains – being older with no history of malicious activity – are trusted and thus less likely to be considered suspicious by security software.
Melissa Bischoping, director of endpoint security research at Tanium, told The Register that research shows at least 20 percent of aged domains could be classified as suspicious. Such techniques require an investment of time and money by the attacker, who may be continually buying and aging domains in the background while running other operations in the meantime.
Given that, the technique is likely to be used by criminals with long term operations or those who are aging the domains to be sold to other threat groups, Bischoping said.
“An attacker who invests time in domain aging is more likely to be running an established and more sophisticated operation,” she said. “As an example, the APT behind SolarWinds used years-old domain names in their operation.”
Javvad Malik, security awareness advocate for KnowBe4, told The Register that “criminals will often set up such domains or fake profiles on social media sites like LinkedIn and then not do anything malicious for long periods of time before they undertake their actions. It highlights the lengths that criminals will go to avoid detection by security technologies.”
Confiant recorded more than 1.5 million CashRewindo impressions over 12 months, with more than three-quarters hitting Windows devices. The group’s attacks touched on more than 100 countries throughout Europe, North and South America, Africa, the Middle East, and Asia. The countries with the most impressions were from Eastern Europe.
CashRewindo’s malvertising campaigns are tailored to specific regions, from using the local language, currency, and photos placed on the page, according to Yarochewsky.
The attackers do not rely only on domain aging to evade detection. The group also switches between scam ads and innocuous wording to avoid triggering software that detects “strong language,” Yarochewsky wrote. At the start of a campaign, CashRewindo uses innocuous ads before switching to “call-to-action” ads later.
The attackers also put a small red circle in the middle of images to throw off computer vision detection tools. In addition, they target particular victims, determined through the language, time zone, and device platform used on the systems.
If someone not part of the targeted audience hits the “Click Here” button, they are directed to an innocuous site. Those targeted people who click the button trigger the malicious JavaScript code in the WSS, another step for evading detection.
From there the victim is sent to a scam page and then redirected to a platform hawking fake cryptocurrency investments.
Tanium’s Bischoping said that protecting against such a campaign calls for a combination of tools, from next-generation firewalls and DNS filtering to email threat protection and threat intelligence feeds. ®